Interactive Proof System We Have Seen Interactive Proofs, in Various Disguised Forms, in the Definitions of NP, OTM, Cook Reduction and PH

Interactive Proof System We have seen interactive proofs, in various disguised forms, in the definitions of NP, OTM, Cook reduction and PH.

We will see that interactive proofs have fundamental connections to cryptography and approximate algorithms.

Computational Complexity, by Fu Yuxi Interactive Proof System 1 / 120 It was not until 1985 that the idea of computation through interaction was formally studied by two groups. 1. L. Babai, with a complexity theoretical motivation; 2. S. Goldwasser, S. Micali and C. Rackoff, with a cryptographic motivation.

Computational Complexity, by Fu Yuxi Interactive Proof System 2 / 120 An interactive proof system consists of a Prover and a Verifier. 1. Prover’s goal is to convince Verifier of the validity of an assertion through dialogue. 2. Verifier’s objective is to accept/reject the assertion based on the information it gathers from the dialogue.

Prover’s answers are adaptive. Adaptivity is the difference between a prover and an oracle.

Computational Complexity, by Fu Yuxi Interactive Proof System 3 / 120 Synopsis

1. Introduction 2. Interactive Proof with Private Coins 3. Interactive Proof with Public Coins 4. Set Lower Bound Protocol 5. IP = PSPACE 6. Public Coins versus Private Coins 7. MIP = NEXP 8. Interactive Proof for Multilinear Function 9. IP vs MIP 10. Programme Checking

Computational Complexity, by Fu Yuxi Interactive Proof System 4 / 120 Introduction

Computational Complexity, by Fu Yuxi Interactive Proof System 5 / 120 Basic Principle

A verifier’s job must be easy (polynomial time on input length), otherwise there is no need for any dialogue. A prover can be as powerful as it takes, as long as the answers it produces are short (polynomial size on input length).

A verifier is not supposed to ask too many questions. Its best bet is ask random questions. A prover is supposed to provide an answer no matter what.

Computational Complexity, by Fu Yuxi Interactive Proof System 6 / 120 Deterministic Verifier

A k-round interaction of f and g on input x ∈ {0, 1}∗, denoted by hf, gi(x), is the ∗ sequence a1,..., ak ∈ {0, 1} defined as follows:

a1 = f(x),

a2 = g(x, a1), . .

a2i+1 = f(x, a1,..., a2i), for 2i < k

a2i+2 = g(x, a1,..., a2i+1), for 2i + 1 < k . .

The output of f at the end, noted outfhf, gi(x), is f(x, a1,..., ak) ∈ {0, 1}.

f, g : {0, 1}∗ → {0, 1}∗ are TM’s, and k(n) is a polynomial.

Computational Complexity, by Fu Yuxi Interactive Proof System 7 / 120 Deterministic Proof System

We say that a language L has a k-round deterministic proof system if there is a TM V that on input x, a1,..., ak runs in poly(|x|) time, and can have a k(|x|)-round interaction with any TM P such that the following statements are valid:

∗ ∗ Completeness. x ∈ L ⇒ ∃P : {0, 1} → {0, 1} .outV(V, P) = 1, ∗ ∗ Soundness. x ∈/ L ⇒ ∀P : {0, 1} → {0, 1} .outV(V, P) = 0.

dIP contains languages with a polynomial round deterministic interactive proof system.

Computational Complexity, by Fu Yuxi Interactive Proof System 8 / 120 Deterministic Proof Systems Define NP

Fact. dIP = NP.

Every NP language has a one-round deterministic proof system. Conversely suppose L ∈ dIP. There is a P-time TM V such that ∗ ∗ x ∈ L iff ∃P : {0, 1} → {0, 1} .outV(V, P) = 1 iff

∃a1, a2,..., ak.V(x) = a1 ∧ V(x, a1, a2) = a3 ∧ ... ∧ V(x, a1,..., ak) = 1.

The verification time is polynomial.

In a deterministic proof system an almighty prover can predict the questions the verifier asks by running the verifier’s TM, and therefore can provide all answers at onego.

Computational Complexity, by Fu Yuxi Interactive Proof System 9 / 120 Interaction + Randomness

We shall only be interested in verifiers who ask clever questions.

“…in the context of interactive proof systems, asking random questions is as powerful as asking clever questions.” Goldreich

Computational Complexity, by Fu Yuxi Interactive Proof System 10 / 120 B has one red sock and one green sock. How can he convince A, who is color blind, that the socks are of different color?

Computational Complexity, by Fu Yuxi Interactive Proof System 11 / 120 Interactive Proof with Private Coins

Computational Complexity, by Fu Yuxi Interactive Proof System 12 / 120 S. Goldwasser, S. Micali, C. Rackoff. The Knowledge Complexity of Interactive Proofs. 1985.

Computational Complexity, by Fu Yuxi Interactive Proof System 13 / 120 Private Coins Model

The verifier generates an l-bits r by tossing coins:

l r ∈R {0, 1} .

The verifier of course knows r:

a1 = f(x, r), a3 = f(x, r, a1, a2),....

The prover cannot see r:

a2 = g(x, a1), a4 = g(x, a1, a2, a3),....

Both the interaction hf, gi(x) and the output outfhf, gi(x) are random variables over l r ∈R {0, 1} .

Computational Complexity, by Fu Yuxi Interactive Proof System 14 / 120 IP, Interactive Proofs with Private Coins

Suppose k is a polynomial. A language L is in IP[k(n)] if there’s a P-time PTM V that can have a k(|x|)-round interaction with any TM P and renders valid the following. Completeness.

∗ ∗ x ∈ L ⇒ ∃P : {0, 1} → {0, 1} .Pr[outV(V, P) = 1] ≥ 2/3.

Soundness.

∗ ∗ x ∈/ L ⇒ ∀P : {0, 1} → {0, 1} .Pr[outV(V, P) = 1] ≤ 1/3.

S c The class IP is defined by c≥1 IP[cn ].

Computational Complexity, by Fu Yuxi Interactive Proof System 15 / 120 BPP Verifier, PSPACE Prover

1. A verifier is a BPP machine. 2. We may assume that a prover is a PSPACE machine. ▶ There is an optimal prover. ▶ A single PSPACE prover suﬀices for all x ∈ L.

An almighty prover knows Verifier’s algorithm. ▶ Prover enumerates all answers a2, a4,..., and uses Verifier’s algorithm to calculate the percentage of the random strings that make verifier to accept.

Computational Complexity, by Fu Yuxi Interactive Proof System 16 / 120 IP, Interactive Proofs with Private Coins

L ∈ IP ⇔ there is an interactive proof system of a verifier V ∈ BPP and a prover P ∈ PSPACE that interact for a polynomial round and renders valid the following. Completeness. x ∈ L ⇒ Pr[outV(V, P) = 1] ≥ 2/3. Soundness. x ∈/ L ⇒ Pr[outV(V, P) = 1] ≤ 1/3.

Computational Complexity, by Fu Yuxi Interactive Proof System 17 / 120 IP ⊆ PSPACE

Proposition. IP ⊆ PSPACE.

Both a PSPACE machine and a BPP machine can be simulated in polynomial space.

Computational Complexity, by Fu Yuxi Interactive Proof System 18 / 120 Robustness of IP

Fact. IP remains unchanged if we replace the completeness parameter 2/3 by 1 − 2−ns and soundness parameter 1/3 by 2−ns . Proof. Repeat the protocol O(ns) times. Majority rule. Chernoff bound.

Since there is an optimal prover, it doesn’t matter if a protocol is repeated sequentially or in parallel.

Computational Complexity, by Fu Yuxi Interactive Proof System 19 / 120 Robustness of IP

Fact. Allowing prover to use a private coin does not change IP.

By average principle we can construct a deterministic prover from a probabilistic prover that is as good as the latter.

Computational Complexity, by Fu Yuxi Interactive Proof System 20 / 120 Perfect Completeness

An interactive proof system has perfect completeness if its completeness parameter is 1. An interactive proof system has perfect soundness if its soundness parameter is 0.

Computational Complexity, by Fu Yuxi Interactive Proof System 21 / 120 Perfect Soundness is Too Strong

1. IP with Perfect Completeness = IP. 2. IP with Perfect Soundness = NP.

1. IP ⊆ PSPACE. A problem in IP is Karp reducible to TQBF. TQBF has an interactive proof system with perfect completeness (using the Sumcheck protocol). 2. If x ∈ L, there exists a ‘yes’ certificate. If x ∈/ L, the verifier always says ‘no’.

Computational Complexity, by Fu Yuxi Interactive Proof System 22 / 120 Graph Non-Isomorphism

Let GI be the Graph Isomorphism problem; it is not known to be in P. Let GNI = GI, it is not known to be in NP.

The nodes of a graph are represented by the numbers 1, 2,..., n.

The isomorphism of G0 to G1 is indicated by π(G0) = G1, where π is a permutation of the nodes of G0.

Computational Complexity, by Fu Yuxi Interactive Proof System 23 / 120 Graph Non-Isomorphism Protocol

Protocol: Graph Non-Isomorphism

V: Pick i ∈R {0, 1}. Generate a random permutation graph H of Gi. Send H to P.

P: Identify which of G0, G1 was used to produce H and send the index j ∈ {0, 1} to V. V: Accept if i = j; reject otherwise.

Computational Complexity, by Fu Yuxi Interactive Proof System 24 / 120 Graph Non-Isomorphism

Theorem. GNI ∈ IP. Proof. If G0 ' G1, the prover’s guess is as good as anyone’s guess. If G0 6' G1, the prover can force the verifier to accept.

1. O. Goldreich, S. Micali, A. Wigderson. Proofs that Yield Nothing but Their Validity and a Methodology of Cryptographic Protocol Design. FOCS 1986.

Computational Complexity, by Fu Yuxi Interactive Proof System 25 / 120 Quadratic Non-Residuosity

A number a is a quadratic residue modulo p if there is some number b such that a ≡ b2 (mod p). ▶ QR = {(a, p) | p is prime and ∃b.a ≡ b2 (mod p)} is in NP.

Let QNR = QR. The problem QNR is not known to be in NP.

Computational Complexity, by Fu Yuxi Interactive Proof System 26 / 120 Quadratic Non-Residuosity Protocol

Input. 1. An odd prime number p and a number a. Goal. 1. The prover tries to convince the verifier that a ∈ QNR. 2. The verifier should reject with good probability if a ∈/ QNR.

V: Pick r < p and i ∈ {0, 1} randomly. If i = 0 then send r2 mod p to P; otherwise send ar2 mod p to P. P: Identify which case it is and send a number j ∈ {0, 1} to V accordingly. V: Accept if j = i; reject otherwise.

Computational Complexity, by Fu Yuxi Interactive Proof System 27 / 120 Quadratic Non-Residuosity

Theorem. QNR ∈ IP.

If a is a quadratic residue, then ar2, like r2, is a random quadratic residue modulo p. In this case prover can only guess. If a is not a quadratic residue, then ar2, unlike r2, is a random non-quadratic residue modulo p. In this case prover can force verifier to accept.

The argument is with the finite field Fp.

1. S. Goldwasser, S. Micali, and C. Rackoff. The Knowledge Complexity of Interactive Proofs. STOC 1985.

Computational Complexity, by Fu Yuxi Interactive Proof System 28 / 120 Interactive Proof for Permanent

Suppose A = (aj,k)1≤j,k≤n is an n × n matrix. According to the expansion in cofactors,

Xn perm(A) = a1i · perm(A1,i). i=1 Computing the permanent of an n×n matrix reduces to computing the permanents of n matrices of dimension (n−1)×(n−1).

We design an interactive proof system for perm(A) using arithmetic method.

Computational Complexity, by Fu Yuxi Interactive Proof System 29 / 120 Interactive Proof for Permanent

We look for an (n−1)×(n−1)-matrix DA(x) such that DA(i) = A1,i. ▶ (DA(x))j,k is a univariate polynomial of degree n − 1, and ▶ 2 perm(DA(x)) is a univariate polynomial of degree (n − 1) .

Vandermonde matrix is nonsingular. Verifier can calculate (DA(x))j,k by solving the following.       1 1 ... 1 1 b0 a(j+1)(k+1) . . . . .      . . . . .   .   .  . . . . .   .   .  1 k ... kn−2 kn−1        bk a  n−2 n−1    (j+1)(k+1) 1 k + 1 ... (k + 1) (k + 1)    =     bk+1  a(j+1)k  . . . . .   .   .  . . . . .   .   .  . − − 1 n . nn 2 nn 1 bn−1 a(j+1)k

Computational Complexity, by Fu Yuxi Interactive Proof System 30 / 120 Interactive Proof for Permanent

Protocol: Permanent

Condition: Both parties know a number k and a matrix A. Prover’s goal is to show that k = perm(A). Verifier should reject with good probability if k =6 perm(A).

2 P: Send to V a polynomial g(x) of degree (n − 1) , which is supposedly perm(DA(x)). P n · ∈ V: Check if k = i=1 a1i g(i). If not, reject; otherwise pick up b R GF(p) and ask P to prove g(b) = perm(DA(b)).

One has to deal with an exponential number of monomials to calculate g(x). However verifier can calculate the matrix DA(x).

Computational Complexity, by Fu Yuxi Interactive Proof System 31 / 120 Interactive Proof for Permanent

Let Lperm be the language hA, p, ki | p > n4, k = perm(A), A is an n × n matrix over GF(p) .

Theorem. Lperm ∈ IP. Proof. If n ≤ 3, use brutal force. Otherwise use the permanent protocol. Verifier accepts with probability 1if k = perm(A). 1 The error rate is bounded by 3 . [see next slide.]

Computational Complexity, by Fu Yuxi Interactive Proof System 32 / 120 Interactive Proof for Permanent

Suppose k =6 perm(A) and the prover sends a fake g(x). ▶ 2 g(x) − perm(DA(x)) has at most (n − 1) roots. ▶ ≤ (n−1)2 The probability of choosing a b such that g(b) = perm(DA(b)) is p . ▶ If g(b) =6 perm(DA(b)) and Prover’s foul play has not been caught, he is left with the task to prove g(b) = perm(DA(b)). If Prover manages to get away with all his previous foul plays, he gets caught in the end.

The probability of the verifier reaching a wrong answer is less than

(n − 1)2 (n − 2)2 42 n3 1 1 + + ... + < < < . p p p p n 3

Computational Complexity, by Fu Yuxi Interactive Proof System 33 / 120 Interactive Proof with Public Coins

Computational Complexity, by Fu Yuxi Interactive Proof System 34 / 120 “We can formulate a decision problem under uncertainty as a new sort of game, in which one opponent is ‘disinterested’ and plays at random, while the other tries to pick a strategy which maximizes the probability of winning – a ‘game against Nature’.”

1. Christos Papadimitriou. Games Against Nature. FOCS 1983.

Computational Complexity, by Fu Yuxi Interactive Proof System 35 / 120 László Babai. Trading Group Theory for Randomness. STOC 1985.

Computational Complexity, by Fu Yuxi Interactive Proof System 36 / 120 Interactive Proofs with Public Coins

In a public coins system, the verifier’s message is identical to the outcome of the coins tossed at the current round.

▶ Whatever verifier computes, prover can do the same. ▶ Verifier’s actions except for its final decision are oblivious of prover’s messages.

Computational Complexity, by Fu Yuxi Interactive Proof System 37 / 120 Arthur-Merlin Game

Arthur-Merlin Game = Interactive Proof with Public Coins ▶ Arthur/Nature is the verifier who tosses public coins, and ▶ Merlin is the prover.

Suppose k : N → N is a polynomial. Obviously

AM[k(n)], MA[k(n)] ⊆ IP[k(n)].

Computational Complexity, by Fu Yuxi Interactive Proof System 38 / 120 Notational Convention

MA, AM, AMA, MAMAMA,...

Computational Complexity, by Fu Yuxi Interactive Proof System 39 / 120 Switching Lemma. MA ⊆ AM.

Suppose L ∈ MA. The completeness is not affected since

x ∈ L ⇒ ∃a.Prr[V(x, a, r) = 1] ≥ 1 − ϵ ⇒ Prr[∃a.V(x, a, r) = 1] ≥ 1 − ϵ.

Perfect Completeness would survive. Soundness is affected though.

|a| x ∈/ L ⇒ ∀a.Prr[V(x, a, r) = 1] ≤ ϵ ⇒ Prr[∃a.V(x, a, r) = 1] ≤ 2 ϵ.

Since a is of polynomial size, verifier can reduce the error rate by ▶ repeating the protocol for a polynomial number of time and ▶ applying majority rule after getting the answers.

Computational Complexity, by Fu Yuxi Interactive Proof System 40 / 120 Collapse Theorem

Theorem (Babai, 1985). AM[k(n) − 1] = MA[k(n)] = AM[k(n)] for k(n) > 2.

Both AM(k(n) − 1) ⊆ AM(k(n)) and AM(k(n) − 1) ⊆ MA(k(n)) are obvious. Suppose L ∈ AM(k(n)) has an interactive proof system that has a fragment of type AMAMA. Let x be the input, and m be the length of Merlin’s answer.

Let (a1, b1, a2, b2, a3) be part of an interactive proof. We switch the 2nd and the 3rd actions.

1 t ′ 1 t ′ (a1a2 ... a2, b1b2 ... b2, ia3),

followed by randomly selecting i ∈R [t] to continue. The number of round is reduced by 2.

Computational Complexity, by Fu Yuxi Interactive Proof System 41 / 120 Collapse Theorem

Before the switching, the expected value of Arthur’s answer is

def A Ax = Ea2 [ (x,..., b1, a2,...)].

After the switching, the expected value of Arthur’s answer is A ′ i Ea1,...,at max Et[ (x,..., b1, a2,...)] , (1) 2 2 ′ ∈{ }m b1 0,1 which is bounded by " ( )# Xt 1 A ′ i Ea1,...,at max (x,..., b1, a2,...) . 2 2 b′ ∈{0,1}m t 1 i=1

Computational Complexity, by Fu Yuxi Interactive Proof System 42 / 120 Collapse Theorem

After switching the probability that the expected value increases at least δ is " # n o A ′ i − Pra1,...,at max Et[ (x,..., b1, a2,...)] Ax > δ 2 2 b′ ∈{0,1}m " 1 # Xt ′ m ′ i ≤ Pr 1 t ∃b1 ∈ {0, 1} . A(x,..., b1, a2,...) − tAx > tδ a2,...,a2 i=1 − 2 ≤ 2m· 2·e tδ /3 (2)

− < 2 h.

where the third inequality is due to union bound and Chernoff bound. The fourth inequality is valid by setting t = O((m + h)/δ2).

∈ ≤ −h ≤ 1 −h If x / L, error probability (1) < Ax + δ + 2 8 by taking δ = 2 = 1/8, assuming the 1 error probability is 8 before switching.

Computational Complexity, by Fu Yuxi Interactive Proof System 43 / 120 Arthur-Merlin Hierarchy Collapses

Theorem (Babai, 1985). AM[k] = AM[2] for all constant k > 2.

Computational Complexity, by Fu Yuxi Interactive Proof System 44 / 120 By Babai Theorem the following abbreviation makes sense.

AM def= AM[2].

Computational Complexity, by Fu Yuxi Interactive Proof System 45 / 120 Speedup Theorem for Unbounded Interaction

Theorem (Babai and Moran, 1988). AM[2k(n)] = AM[k(n)] if k(n) ≥ 2.

The overall error probability is bounded by k k 2 1 A + ·δ + ·2m· 2·e−tδ /3 < , x 4 4 2

1 4 by taking δ = 4k and t = 48k m.

Computational Complexity, by Fu Yuxi Interactive Proof System 46 / 120 NP ⊆ MA ⊆ AM can be interpreted as saying that MA and AM are randomized analogues of NP. ▶ In AM the randomness is announced first. ▶ In MA the randomness comes afterwards.

If BPP = P, then AM = NP.

Computational Complexity, by Fu Yuxi Interactive Proof System 47 / 120 1. Shafi Goldwasser, Silvio Micali, and Charles Rackoff. The Knowledge Complexity of Interactive Proofs. STOC ’85. 2. L. Babai and S. Moran. Arthur-Merlin Games: A Randomized Proof System, and a Hierarchy of Complexity Classes. JCSS, 1988.

The authors of the two papers shared the first Gödel Prize (1993).

Computational Complexity, by Fu Yuxi Interactive Proof System 48 / 120 1. Shafi Goldwasser, Silvio Micali, and Charles Rackoff. The Knowledge Complexity of Interactive Proofs. STOC ’85. 2. L. Babai and S. Moran. Arthur-Merlin Games: A Randomized Proof System, and a Hierarchy of Complexity Classes. JCSS, 1988.

The authors of the two papers shared the first Gödel Prize (1993).

Computational Complexity, by Fu Yuxi Interactive Proof System 49 / 120 Set Lower Bound Protocol

Computational Complexity, by Fu Yuxi Interactive Proof System 50 / 120 Set lower bound protocol is based on Carter and Wegman’s universal hash function.

1. J. Carter and M. Wegman. Universal Classes of Hash Functions. Journal of Computer and System Sciences. 143-154, 1979. (FOCS 1977)

Computational Complexity, by Fu Yuxi Interactive Proof System 51 / 120 Pairwise Independent Hash Function

n k Let Hn,k be a collection of hash functions from {0, 1} to {0, 1} .

We say that Hn,k is pairwise independent if the following hold: ▶ For each x ∈ {0, 1}n and each y ∈ {0, 1}k,

1 Pr ∈ H [h(x) = y] = . h R n,k 2k ▶ For all x, x′ ∈ {0, 1}n with x =6 x′ and all y, y′ ∈ {0, 1}k,

′ ′ 1 Pr ∈ H [h(x) = y ∧ h(x ) = y ] = . h R n,k 22k

Computational Complexity, by Fu Yuxi Interactive Proof System 52 / 120 Eﬀicient Pairwise Independent Hash Function

Theorem. For every n, let Hn,n be {ha,b}a,b∈GF(2n), where for all a, b the function n n ha,b : GF(2 ) → GF(2 ) is defined by

ha,b(x) = a · x + b.

Then the collection Hn,n is eﬀicient pairwise independent.

We get Hn,k from Hn,n/Hk,k by projection/embedding.

Computational Complexity, by Fu Yuxi Interactive Proof System 53 / 120 Motivation

Assume S ⊆ {0, 1}m and 2k−2 < K ≤ 2k−1.

k Suppose |S| ≥ K and y ∈R {0, 1} . By pairwise independence, X |S| K 1 Pr ∈ H [y ∈ h(S)] = Pr ∈ H [h(x) = y] = ≥ > . h R m,k h R m,k 2k 2k 4 x∈S By taking κ = k/(2 − log 3) one gets " # [κ κ 3 −k Pr ∈ H y ∈/ h (S) < = 2 . h1,...,hκ R m,k i 4 i=1 Hence " # [κ ∃ ∈ { }k ∈ Prh1,...,hκ∈RHm,k y 0, 1 .y / hi(S) < 1. i=1 S κ { }k ∈ H Conclude that i=1 hi(S) = 0, 1 for some h1,..., hκ m,k.

Computational Complexity, by Fu Yuxi Interactive Proof System 54 / 120 Motivation

| | ≤ K ≥ Suppose S p(k) for a polynomial p(k) 2κ. For all h1,..., hκ,

[κ Xκ K 1 1 h (S) ≤ |h (S)| ≤ κ ≤ ·2k = · {0, 1}k . i i p(k) 4 4 i=1 i=1

Computational Complexity, by Fu Yuxi Interactive Proof System 55 / 120 Set Lower Bound Protocol.

M: Send h1,..., hκ to Arthur. k A: Pick y ∈R {0, 1} . Send y to Merlin. M: Send i, x to Arthur, together with a certificate that x ∈ S.

Arthur accepts if hi(x) = y and the certificate validates x ∈ S; otherwise it rejects.

1 The protocol has perfect completeness. Its soundness parameter is 4 .

Computational Complexity, by Fu Yuxi Interactive Proof System 56 / 120 Set Lower Bound Protocol

Input. 1. Numbers K, k such that 2k−2 < K ≤ 2k−1. 2. S ⊆ {0, 1}m such that the membership in S can be certified. Goal. 1. Prover tries to convince verifier that |S| ≥ K. | | ≤ K 2. Verifier should reject with good probability if S 2 .

Let ℓ = log k + 2. We transform in P-time the question “|S| ≥ K or |S| ≤ K/2 ? ” to

“|Sℓ| ≥ Kℓ or |Sℓ| ≤ Kℓ/2ℓ ? ”.

Then apply the protocol defined on previous slide.

Computational Complexity, by Fu Yuxi Interactive Proof System 57 / 120 GNI is in AM

Let S be {hH, πi | H ' G0 or H ' G1, and π is an automorphism}. Observe that if G0 6' G1 then |S| = 2n! and if G0 ' G1 then |S| = n!. Now apply the set lower bound protocol.

1. Suppose hH, πi is coded up by binary string of length m. Then S ⊆ {0, 1}m. 2. Checking the membership of S can be done in P-time.

Computational Complexity, by Fu Yuxi Interactive Proof System 58 / 120 Can GI be NP-Complete?

p p Theorem. If GI is NP-complete, then Σ2 = Π2.

1. R. Boppana, J. Håstad, and S. Zachos. Does co-NP Have Short Interactive Proofs? Information Processing Letters, 25:127-132, 1987.

Computational Complexity, by Fu Yuxi Interactive Proof System 59 / 120 Proof of Boppana-Håstad-Zachos Theorem

If GI is NP-complete, then GNI is coNP-complete. It follows that ▶ there is a reduction function f such that for every formula φ with 2n variables, ∀yφ(y) if and only if f(∀yφ(y)) ∈ GNI. P ∃ ∈ { }n ∀ ∈ { }n Consider an arbitrary 2 SAT formula ψ = x 0, 1 . y 0, 1 .φ(x, y). Now

ψ iff ∃x ∈ {0, 1}n.g(x) ∈ GNI,

where g(x) is f(∀yφ(x, y)).

GNI has a two round Arthur-Merlin proof system with perfect completeness and soundness error < 2−n. Let ▶ A be Arthur’s algorithm, and ▶ m be the length of Arthur’s questions and Merlin’s answers.

Computational Complexity, by Fu Yuxi Interactive Proof System 60 / 120 Proof of Boppana-Håstad-Zachos Theorem

We claim that ψ is true if and only if

∀q ∈ {0, 1}m.∃x ∈ {0, 1}n.∃a ∈ {0, 1}m.A(g(x), q, a) = 1, (3) P Q ⊆ which would show 2 2. Notice that ψ is true if and only if

∃x ∈ {0, 1}n.∀q ∈ {0, 1}m.∃a ∈ {0, 1}m.A(g(x), q, a) = 1. (4)

If (3) holds, that is ∀q ∈ {0, 1}m.∃x ∈ {0, 1}n.∃a ∈ {0, 1}m.A(g(x), q, a) = 1, there is m−n m some x0 such that for at least 2 number of q ∈ {0, 1} ,

m ∃a ∈ {0, 1} .A(g(x0), q, a) = 1. ≥ 1 This implies that the error rate for the input g(x0) is 2n if ψ does not hold, which would contradict to our assumption. So ψ must be true.

Computational Complexity, by Fu Yuxi Interactive Proof System 61 / 120 IP = PSPACE

Computational Complexity, by Fu Yuxi Interactive Proof System 62 / 120 C. Lund, L. Fortnow, H. Karloff, and N. Nisan. ▶ Algebraic Methods for Interactive Proof Systems. FOCS 1990.

A. Shamir. ▶ IP = PSPACE. FOCS 1990.

L. Babai, L. Fortnow, and L. Lund. ▶ Nondeterministic Exponential Time has Two-Prover Interactive Protocols. FOCS 1990.

Computational Complexity, by Fu Yuxi Interactive Proof System 63 / 120 We only have to prove TQBF ∈ IP. We start by looking at an interactive proof system for a decision version of SAT.

Computational Complexity, by Fu Yuxi Interactive Proof System 64 / 120 Counting the Number of Satisfying Assignments

Let #ϕ be the number of the satisfying assignments of ϕ. ▶ ϕ is a tautology iff #ϕ = 2n iff   X   n ϕ(b1,..., bn) = 2 .

b1,...,bn∈{0,1}

Let #SATD be {hϕ, Ki | ϕ is a 3CNF and K = #ϕ}. ▶ This is a decision version of #SAT. ▶ An interactive proof system for #SATD solves SAT as well.

Computational Complexity, by Fu Yuxi Interactive Proof System 65 / 120 Arithmetization

Suppose ϕ = ϕ1 ∧ ... ∧ ϕm is a 3CNF with n variables. n 2n Let X1,..., Xn be variables over a finite field GF(p), where p is a prime in (2 , 2 ].

Arithmetization refers to for example the following conversion:

xi ∨ xj ∨ xk 7→ 1 − (1 − Xi)Xj(1 − Xk).

We let 1 represent the truth value and 0 the false value.

We write pj(X1,..., Xn) for the arithmetization of ϕj. Q We write pϕ(X1,..., Xn) for j∈[m] pj(X1,..., Xn), the arithmetization of ϕ. ▶ |pϕ(X1,..., Xn)| = poly. But if we open up the brackets in pϕ(X1,..., Xn), we would in general get an expression of exponential size.

Computational Complexity, by Fu Yuxi Interactive Proof System 66 / 120 Arithmetization

Clearly X X X n #ϕ = ... pϕ(b1,..., bn) ≤ 2 .

b1∈{0,1} b2∈{0,1} bn∈{0,1}

Computational Complexity, by Fu Yuxi Interactive Proof System 67 / 120 Suppose g(X1,..., Xn) is a degree d polynomial, K an integer.

We show how the prover can provide an interactive proof for X X X K = ... g(b1,..., bn). (5)

b1∈{0,1} b2∈{0,1} bn∈{0,1}

Notice that X X X ... g(X1, b2,..., bn) (6)

b2∈{0,1} b3∈{0,1} bn∈{0,1}

is a univariate polynomial h(X1) whose degree is bounded by d.

▶ It takes exponential time to calculate (6). ▶ Prover can produce the small size polynomial h(X1) equal to (6). For this polynomial (5) is equivalent to h(0) + h(1) = K.

Computational Complexity, by Fu Yuxi Interactive Proof System 68 / 120 Sumcheck Protocol

Protocol: Sumcheck

A: If n = 1, check g(0) + g(1) = K. If so accept; otherwise reject. If n ≥ 2, ask M to send some polynomial equal to (6).

M: Send some polynomial s(X1) to A. A: Reject if s(0) + s(1) =6 K; otherwise pick a ∈ GF(p) randomly. Recursively use the protocol to check X X X s(a) = ... g(a, b2,..., bn).

b2∈{0,1} b3∈{0,1} bn∈{0,1}

Sumcheck is a public coins protocol with perfect completeness.

Computational Complexity, by Fu Yuxi Interactive Proof System 69 / 120 Sumcheck Protocol

Claim. If (5) is true, then Pr[A accepts] = 1.

A ≥ − d n−1 Claim. If (5) is false, then Pr[ rejects] (1 p ) . Proof. Assume (5) is false. For n = 1, Arthur rejects with probability 1. ▶ If Merlin returns h(X1), verifier rejects with probability 1. ▶ If Merlin returns s(X1) =6 h(X1), then s(X1) − h(X1) has at most d roots. ▶ Since Arthur picks up a randomly, Pr[s(a) =6 h(a)] ≥ 1 − d/p. 6 ≥ − d n−1 If s(a) = h(a), Arthur rejects with probability (1 p ) by induction.

Computational Complexity, by Fu Yuxi Interactive Proof System 70 / 120 Interactive Proof for #SATD

Theorem (Lund, Fortnow, Karloff, Nisan, 1990). #SATD ∈ IP.

Use the Sumcheck protocol.

Computational Complexity, by Fu Yuxi Interactive Proof System 71 / 120 Arithmetization for TQBF

Given a quantified Boolean formula

ψ = ∀x1∃x2∀x3 ... ∃xn.ϕ(x1,..., xn),

the arithmetization of ψ ⇔ > could be Y X Y X ... pϕ(b1,..., bn) =6 0. (7)

b1∈{0,1} b2∈{0,1} b3∈{0,1} bn∈{0,1}

The problem is that the degree of (7) could be too high.

Computational Complexity, by Fu Yuxi Interactive Proof System 72 / 120 Arithmetization for TQBF

The idea is to use linearization operators

− LXi (p) = (1 Xi)p0 + Xip1, ∀ Xi (p) = p0p1, ∃ − − − Xi (p) = 1 (1 p0)(1 p1)

to obtain a multilinear polynomial, where

p0 = p(X1,..., Xi−1, 0, Xi+1,..., Xn),

p1 = p(X1,..., Xi−1, 1, Xi+1,..., Xn).

1. A. Shen. IP=PSPACE: Simplified Proof. J.ACM, 1992.

Computational Complexity, by Fu Yuxi Interactive Proof System 73 / 120 Reduce the inequality (7) in O(n2) time to the equality:

∀ ∃ ∀ ∃ X1 LX1 X2 LX1 LX2 ... Xn−1 LX1 ...LXn−1 Xn LX1 ...LXn .pϕ(X1,..., Xn) = 1. (8)

Then apply the modified sumcheck protocol to check if(8) holds.

Sumcheck Protocol:

1. Merlin sends s1(X1) to Arthur, meant to be the openup of the red-expression in (8).

2. Arthur rejects if s1(0)·s1(1) =6 1. Otherwise he chooses r1 ∈R GF(p) and asks Merlin to prove ∃ ∃ { } (LX1 X2 LX1 LX2 ... Xn LX1 ..LXn .pϕ(X1,..., Xn)) r1/X1 = s1(r1). (9)

3. Merlin sends s2(X1) to Arthur, meant to be the openup of the blue-expression in (9). − · · 6 ′ ∈ 4. Arthur rejects if (1 r1) s2(0) + r1 s2(1) = s1(r1). Otherwise he chooses r1 R GF(p) and { ′ } ′ asks Merlin to prove blue-expression r1/X1 = s2(r1). 5. …

Computational Complexity, by Fu Yuxi Interactive Proof System 74 / 120 IP = PSPACE

Theorem (Shamir 1990). IP = PSPACE.

Using Sumcheck protocol one sees that TQBF is in IP.

Computational Complexity, by Fu Yuxi Interactive Proof System 75 / 120 S c Theorem. IP = c≥1 AM[cn ].

We have defined an Arthur-Merlin game for TQBF, which is PSPACE-complete. Hence [ IP = PSPACE ⊆ AM[cnc] ⊆ IP. c≥1

The theorem does not say that a constant round private coin interactive system can be simulated by a constant round public coin interactive system.

Computational Complexity, by Fu Yuxi Interactive Proof System 76 / 120 Remark on the Proof of IP = PSPACE

▶ The proof of IP = PSPACE does not relativize. 1. Fortnow and Sipser proved in 1988 that ∃O. coNPO 6⊆ IPO. 2. If IP = PSPACE had a proof that would relativize, then coNP ⊆ IP would have a proof that would relativize. ▶ IP = PSPACE implies that every problem in IP has an interactive proof with perfect completeness. But …

Computational Complexity, by Fu Yuxi Interactive Proof System 77 / 120 There e-mail announcements were made within a month of 1989. 1. N. Nisan. “Co-SAT Has Multi-Prover Interactive Proofs”, Nov. 27. 2. C. Lund, L. Fortnow, H. Karloff, and N. Nisan. “The Polynomial Time Hierarchy Has Interactive Proofs”, Dec. 13. 3. A. Shamir. “IP=PSPACE”, Dec. 26.

L. Babai. E-mail and the unexpected power of interaction. In Proc. The Fifth Annual Structure in Complexity Theory Conference, 1990.

Computational Complexity, by Fu Yuxi Interactive Proof System 78 / 120 Public Coins versus Private Coins

Computational Complexity, by Fu Yuxi Interactive Proof System 79 / 120 Theorem (Goldwasser-Sipser). IP[k(n)] = AM[k(n)] for all polynomial k(n) > 2.

Goldwasser and Sipser. Private Coins versus Public Coins in Interactive Proof Systems. STOC 1986.

Computational Complexity, by Fu Yuxi Interactive Proof System 80 / 120 The key to the proof of Goldwasser-Sipser Theorem is that Merlin can apply the set lower bound protocol to convince Arthur that the chance for Prover to make Verifier believe is big if x ∈ L.

Computational Complexity, by Fu Yuxi Interactive Proof System 81 / 120 Proof of Goldwasser-Sipser Theorem

Let L be accepted by a 2k round private coin interactive proof system (V, P). Let h be the length of V’s questions and P’s answers, ℓ be the length of random strings. Without loss of generality suppose 2kh < ℓ. Let x be the input.

We will design a O(2k) round Arthur-Merlin game (A, M) that accepts L. ▶ (A, M) simulates every round of (V, P) by six rounds. ▶ Merlin will convince Arthur that in each round of (V, P) there are many random strings that force Verifier to say “yes”.

Computational Complexity, by Fu Yuxi Interactive Proof System 82 / 120 Proof of Goldwasser-Sipser Theorem

Let γi = a1, b1,..., ai, bi denote the initial 2i round dialogue between V and P.

Let γ0 be the empty string ϵ.

ℓ Let Yesx(γi) be the set of all the random strings r ∈ {0, 1} that make Verifier say “yes” by a dialogue whose initial 2i rounds are γi.

By definition, X |Yesx(γi)| = |Yesx(γi, ai+1)|. (10) h ai+1∈{0,1}

Since P is optimal,

|Yesx(γi, ai+1)| = max |Yesx(γi, ai+1, bi+1)|. (11) h bi+1∈{0,1}

Computational Complexity, by Fu Yuxi Interactive Proof System 83 / 120 Proof of Goldwasser-Sipser Theorem

ℓ Define 2 = K0 ≥ ... ≥ Kk such that Ki ≤ |Yesx(γi)|. Suppose K1,..., Ki have been defined.

h Classify into ℓ groups the elements a ∈ {0, 1} satisfying |Yesx(γi, a)| > 0. For j ∈ {0} ∪ [j − 1], h j j+1 Cj = a ∈ {0, 1} | 2 ≤ |Yesx(γi, a)| < 2 .

Since |Yesx(γi)| ≥ Ki, there is some j such that |{r ∈ Yesx(γi, a) | a ∈ Cj}| ≥ Ki/ℓ. Hence K |C | > i . (12) j 2j+1ℓ

For any a ∈ Cj, one has j |Yesx(γi, a)| ≥ 2 . (13)

h j j For each a in (13), some b ∈ {0, 1} exists such that |Yesx(γi, a, b)| ≥ 2 . Let Ki+1 = 2 .

We will use the Set Lower Bound Protocol to prove (12) and (13).

Computational Complexity, by Fu Yuxi Interactive Proof System 84 / 120 Proof of Goldwasser-Sipser Theorem

Protocol input at stage i: input x, private coin interactive proof system (V, P), the 2i-round dialogue γi = a1, b1,..., ai, bi, and K0 ≥ ... ≥ Ki.

M: Send j and h1,..., hκ to A. g A: Send α ∈R {0, 1} to M ∈ { }ℓ ∈ ′ ′ M: Send s 0, 1 , f [κ] and γ = ai+1, bi+1,..., ak, bk to A. Also send h1,..., hκ′ to A. j+2 A: If V(s, γiγ) = 0 or hf(s) =6 α, reject; otherwise send β ∈R {0, 1} to M. ∈ { }ℓ ′ ∈ ′ ′ ′ ′ ′ ′ M: Send t 0, 1 , f [κ ] and γ = ai+2, bi+2,..., ak, bk to A. V ′ ′ 6 j A: If (t, γiai+1bi+1γ ) = 0 or hf′ (t) = β, reject; otherwise go to stage i + 1 with Ki+1 = 2 and γi+1 = γi, ai+1, bi+1.

′ ′ − h1,..., hκ and h1,..., hκ′ are pairwise independent Hash functions; κ = g/(2 log 3) and g g−2 ≤ Ki g−1 ′ − satisfies 2 2j+1ℓ < 2 ; and κ = (j + 2)/(2 log 3).

Computational Complexity, by Fu Yuxi Interactive Proof System 85 / 120 Proof of Goldwasser-Sipser Theorem

The protocol has perfect completeness.

V P 1 ∈ Suppose ( , ) has an error probability p(ℓ)k+1 for a large polynomial p. Suppose x / L. Now 1 1 |Yes (ϵ)| < ·2ℓ = ·K . x p(ℓ)k+1 p(ℓ)k+1 0 Assume the following holds with large probability: 1 |Yes (γ )| < ·K . x i p(ℓ)k+1−i i

− 1 We prove that (14) is valid with probability 1 3k . 1 |Yes (γ )| < ·K . (14) x i+1 p(ℓ)k+1−(i+1) i+1

Computational Complexity, by Fu Yuxi Interactive Proof System 86 / 120 Proof of Goldwasser-Sipser Theorem n o Let S′ = a | |Yes (γ , a)| ≥ 1 ·K . By (10) and the inductive hypothesis, one has x i p(ℓ)k+1−(i+1) i+1

′ 1 1 S · ·K ≤ |Yes (γ )| < ·K . p(ℓ)k+1−(i+1) i+1 x i p(ℓ)k+1−i i

According to the above inequality and (12),

′ 1 1 1 |S | < · ·K < 2ℓ· ·|A |. p(ℓ) 2j i p(ℓ) j Since p is large enough, ′ ′ |S | 2ℓ 1 Pr h [a ∈ S ] < < ≤ . ai+1∈R{0,1} i+1 |Aj| p(ℓ) 3k ′ Pr h [a ∈ S ] is the probability that the following holds when a is chosen randomly. ai+1∈{0,1} i+1 i+1 1 |Yes (γ , a )| ≥ ·K . x i i+1 p(ℓ)k+1−(i+1) i+1

| | | | − 1 Since Yesx(γi+1) = Yesx(γi, ai+1) , the probability that (14) is valid is at least 1 3k .

Computational Complexity, by Fu Yuxi Interactive Proof System 87 / 120 Proof of Goldwasser-Sipser Theorem

− 1 · 2 The following inequality is valid with probability greater than 1 3k k = 3 . 1 |Yes (γ )| < ·K . (15) x k p(ℓ) k

The set lower bound protocol has an error probability 1/4. 1 2 · 1 1 The error probability of Goldwasser-Sipser Protocol is < 3 + 3 4 = 2 .

Conclude that IP[k(n)] ⊆ AM[3k(n)] ⊆ AM[k(n)].

Computational Complexity, by Fu Yuxi Interactive Proof System 88 / 120 Theorem. IP[k(n)] = IP[k(n)]+ = AM[k(n)]+ = AM[k(n)], where k(n) > 2.

Let AM[k(n)]+ be the subset of AM[k(n)] with perfect completeness.

Computational Complexity, by Fu Yuxi Interactive Proof System 89 / 120 AM ⊊ PSPACE ?

Theorem. If PSPACE ⊆ P/poly then PSPACE = MA.

If PSPACE ⊆ P/poly, then the prover in the TQBF protocol can be replaced by a P-size circuit family {Cn}n∈N.

Define a prover that simply sends the description of C|x| to verifier.

The verifier can now make use of C|x| without the necessity for any further interaction.

Computational Complexity, by Fu Yuxi Interactive Proof System 90 / 120 Theorem. If coNP ⊆ AM, then PH = AM. Proof. One has NP ⊆ MA+ ⊆ AM+ = AM by definition and coNP ⊆ AM by the assumption, and then PH ⊆ AM by induction.

Corollary. If GI is NP-complete, then PH = AM. Proof. If GI is NP-complete, then GNI is coNP-complete. We will show that GNI ∈ AM, hence coNP ⊆ AM.

Computational Complexity, by Fu Yuxi Interactive Proof System 91 / 120 MIP = NEXP

Computational Complexity, by Fu Yuxi Interactive Proof System 92 / 120 We know that NP ⊆ MA ⊆ AM ⊆ PH ⊆ PSAPCE = IP. We do not know if interactive proof systems are more powerful than P-time NDTMs. It turns out that multi-prover interactive proof systems are strictly more powerful.

1. M. Ben-Or, S. Goldwasser, J. Kilian, and A. Wigderson. Multi-Prover Interactive Proofs: How to Remove Intractability Assumptions. STOC 1988. 2. L. Babai, L. Fortnow, and L. Lund. Nondeterministic Exponential Time Has Two Prover Interactive Protocols. Computational Complexity, 1991 (FOCS’90). 3. L. Fortnow, J. Rompel, and M. Sipser. On the Power of Multi-Prover Interactive Protocols. Theoretical Computer Science, 1994.

Theorem. MIP = NEXP.

Computational Complexity, by Fu Yuxi Interactive Proof System 93 / 120 Provers may decide on any strategy before the game. Once the game started, a prover is only allowed to communicate with the verifier. The verifier can talk to any prover.

The verifier can force a prover to answer in a nonadaptive fashion.

Computational Complexity, by Fu Yuxi Interactive Proof System 94 / 120 Multi-Prover Interactive Proof System

Suppose k, t are polynomial, n is the input length.

A t(n) round k(n)-prover interactive proof system consists of a verifier V and k(n) provers P1,..., Pk(n), the verifier is a P-time PTM, and a prover is a TM (function). The number of messages exchanged between V and P1,..., Pk(n) is t(n).

After the t(n) round interaction, the verifier makes a decision V(x, r, γ1♯γ2♯ . . . ♯γk(n)), where r is a random string, and for each i ∈ [k(n)], γi is the dialogue between V and Pi.

Computational Complexity, by Fu Yuxi Interactive Proof System 95 / 120 Languages Accepted by Multi-Prover Interactive Proof System

A k(n)-prover interactive proof system is said to accept L if for any input x of length n,

1. if x ∈ L, some P1,..., Pk(n) exists such that

1 Pr q(n) [V(x, r, γ ♯γ ♯ . . . ♯γ ) = 1] ≥ 1 − ; r∈{0,1} 1 2 k(n) 2n

2. if x ∈/ L, then for any P1,..., Pk(n),

1 Pr q(n) [V(x, r, γ ♯γ ♯ . . . ♯γ ) = 1] < , r∈{0,1} 1 2 k(n) 2n where q is a polynomial and q(n) is the length of verifier’s random string.

L ∈ MIP if L is accepted by a k(n)-prover IP system for some polynomial k(n).

Computational Complexity, by Fu Yuxi Interactive Proof System 96 / 120 Probabilistic Oracle Turing Machine

A P-time OTM P? accepts L if the following statements are valid: ∈ PO ≥ − 1 1. If x L, then some oracle O exists such that Pr[ (x) = 1] 1 2n . ∈ PO 1 2. If x / L, then for any oracle O, it holds that Pr[ (x) = 1] < 2n .

Lemma. If L ∈ MIP, then L is accepted by a P-time OTM. Proof. Question (x, i, j, d, γ1♯ . . . ♯γk), the d-th bit of Pi’s answer in the j-th round.

Lemma. If L is accepted by an O(nc) time OTM Q?, then L is accepted by a 2-prover interactive proof system. Proof. P Q? P 1 1 1 1 simulates . Use 2 to force nonadaptivity. Error probability < 2n+1 + 2n+1 = 2n .

Computational Complexity, by Fu Yuxi Interactive Proof System 97 / 120 Multi-Prover Interactive Proof System = POTM = 2-Prover Interactive Proof System

L ∈ MIP iff there is a 2-prover interactive proof system (V, P1, P2) rendering true 1&2: 1 ∈ VP P ≥ − 1. Completeness. If x L, then Prr∈{0,1}q(n) [ 1, 2 (x, r, γ1♯γ2) = 1] 1 2n . ′ ′ ′ ′ 1 2. Soundness. If x ∈/ L, then Pr ∈{ }q(n) [VP P (x, r, γ1♯γ2) = 1] < n for all P , P . r 0,1 1, 2 2 1 2

Computational Complexity, by Fu Yuxi Interactive Proof System 98 / 120 Proposition. MIP ⊆ NEXP.

Suppose a POTM Q? accepts L in nc time, and the input length is n. Q? asks at most nc questions, the length of the answers is bounded by nc. There are at most 2nc combinations of the answers. A NDTM simulates Q? for a total of 2nc times, enumerating all possible answers. − 1 If there is a computation path that accepts x by the ratio 1 2n , accepts; otherwise it rejects.

Computational Complexity, by Fu Yuxi Interactive Proof System 99 / 120 ⊆ Proof of NEXP MIP n t T0 01 ……101 ……

T0 0 1 …… 1 0 1 …… T1 C C … C C … C

T1 …… ……

T2 CC… C C … C T2 …… ……

…… ……

…… …… Tt-1 Tt-1 C C … C CC…

Tt 1 …… ……

Tt CC… C C … C

t 1

c Suppose an O(2n ) time NDTM N accepts L ∈ NEXP, and the input x is of length n.

By Cook-Levin reduction, one obtains a CNF ϕx(u) such that N(x) = 1 iff ϕx(u) ∈ SAT.

We may turn ϕx(u) to some 3CNF ψx(u) ^ ^ ⊕ ∨ ⊕ ∨ ⊕ Ci(x, z, f) = ((fi1 yi1 ) (fi2 yi2 ) (fi3 yi3 )) (16) i∈[2nc ] i∈[2nc ]

nc where f :[3·2 ] → {0, 1} and ⊕ is the exclusive or. ψx(u) is of exponential size.

Computational Complexity, by Fu Yuxi Interactive Proof System 100 / 120 Proof of NEXP ⊆ MIP

We code up Ci(x, z, f) in a uniform manner.

B(v, f, V) = (f1(v1) ⊕ V(v1)) ∨ (f2(v2) ⊕ V(v2)) ∨ (f3(v3) ⊕ V(v3)) (17)

where f1(v1), f2(v2), f3(v3) can be calculated in P-time.

V : {0, 1}s → {0, 1}, where s = log(|xz|), is an assignment to the variables xz, and xz are coded up by variables of length s.

Not all combinations of v1, v2, v3 are legal. A copy of the circuit C is uniquely located by two c 0-1 strings u0, u1 of length n . A nondeterministic P-time TM guesses u = u0u1 and checks if ′ ′ v1, v2, v3 are legal. Let B (v, f, u, u ) be obtained by Cook-Levin reduction. The following

B′(v, f, u, u′) ⇒ B(v, f, A)

is a tautology. Or equivalently B′(v, f, u, u′) ∧ ¬B(v, f, A) is not satisfiable.

Computational Complexity, by Fu Yuxi Interactive Proof System 101 / 120 Proof of NEXP ⊆ MIP

′ ′ ′ Let φ(w, A(v1), A(v2), A(v3)) denote B (v, f, u, u ) ∧ ¬B(v, f, A), where w = uu vf. Let A : {0, 1}s → {0, 1} be an assignment.

Now x ∈ L if and only if φ(w, A(v1), A(v2), A(v3)) is not satisfiable if and only if X φ(w, A(v1), A(v2), A(v3)) = 0. (18) w∈{0,1}m

Turn (18) to an arithmetic equality X F(w, A(v1), A(v2), A(v3)) = 0. (19) w∈{0,1}m

Verifier cannot deal with (19) because it is exponentially long.

Computational Complexity, by Fu Yuxi Interactive Proof System 102 / 120 Proof of NEXP ⊆ MIP

m 2k 3 |S| Lemma. Suppose S ⊆ {0, 1} satisfy |S| ≤ . Then Pr k [∃x ∈ S.h(x) = y] ≥ · . 2 h∈RHm,k,y∈R{0,1} 4 2k

" # _ k [∃x ∈ S.h(x) = y] = k h(x) = y Prh∈RHm,k,y∈R{0,1} Prh∈RHm,k,y∈R{0,1} x ∈ S X X 1 ′ ≥ Pr[h(x) = y] − Pr[h(x) = y ∧ h(x ) = y] 2 x∈S x

Hm,k is the eﬀicient pairwise independent Hash function family.

Computational Complexity, by Fu Yuxi Interactive Proof System 103 / 120 Proof of NEXP ⊆ MIP

Suppose (19) fails. m Let U = {w ∈ {0, 1} | F(w, A(v1), A(v2), A(v3)) =6 0}.

d 1. Verifier chooses d ∈R [m] and h ∈R Hm,d and y ∈R {0, 1} , and sends them to one prover. 2. The prover finds some w and sends it to the verifier. 3. The verifier checks if h(w) = y.

3 · 1 By the previous lemma, the following inequality is valid with probability at least 4m m .

F(w, A(v1), A(v2), A(v3)) =6 0. (20)

The probability can be enhanced by repetition.

Computational Complexity, by Fu Yuxi Interactive Proof System 104 / 120 Proof of NEXP ⊆ MIP

Verifier checks (20) using Sumcheck Protocol.

However we have to turn A to a polynomial of low degree. See next section.

Computational Complexity, by Fu Yuxi Interactive Proof System 105 / 120 Proof of NEXP ⊆ MIP

A k(n) round interactive proof system between a POTM verifier V? and a prover P. 1. For each input x, the oracle is supposedly a truth assignment function A. 2. The power of such an interactive proof system is between a 2-prover interactive proof system and a POTM, hence equivalent to both.

Computational Complexity, by Fu Yuxi Interactive Proof System 106 / 120 Interactive Proof for Multilinear Function

Computational Complexity, by Fu Yuxi Interactive Proof System 107 / 120 IP vs MIP

Computational Complexity, by Fu Yuxi Interactive Proof System 108 / 120 Programme Checking

Computational Complexity, by Fu Yuxi Interactive Proof System 109 / 120 “Checking is concerned with the simpler task of verifying that a given program returns a correct answer on a given input rather than on all inputs. Checking is not as good as verification, but it is easier to do. It is important to note that unlike testing and verification, checking is done each time a program is run.”

1. M. Blum and S. Kannan. Designing Programs that Check Their Work. J. ACM, 1995.

Computational Complexity, by Fu Yuxi Interactive Proof System 110 / 120 Checker

A checker for a task T is a P-time probabilistic OTM C that, given a claimed program P for T and an input x, the following statements are valid: ▶ ∀ CP ≥ 2 If y.P(y) = T(y), then Pr[ (x) accepts P(x)] 3 . ▶ 6 CP 1 If P(x) = T(x), then Pr[ (x) accepts P(x)] < 3 .

The checker C may apply P to a number of randomly chosen inputs before making a decision. So even if P(x) = T(x), the checker may still reject P(x).

Computational Complexity, by Fu Yuxi Interactive Proof System 111 / 120 Checker for Graph Nonisomorphism

Suppose P is a program for GNI: ▶ ∼ P(G1, G2) returns ‘yes’ if G1 =6 G2 and ‘no’ if otherwise.

A program checker C for GNI can be designed as follow: 1. P(G1, G2) =‘no’. ▶ 1 1 1 2 1 n 1 Run P(G1, G2), P(G1, G2), …, P(G1, G2), where G1 is the graph obtained from G1 by replacing the first node by a complete graph of n + 1 nodes, …. ▶ Accept if an isomorphism is found, and reject otherwise.

2. P(G1, G2) =‘yes’. ▶ Run the IP protocol for GNI using P as the prover for k times.

Clearly the checker C runs in P-time.

Computational Complexity, by Fu Yuxi Interactive Proof System 112 / 120 Checker for Graph Nonisomorphism

Theorem. If P is a correct program for GNI, then C always says “P’s answer is correct”. If P’s answer is incorrect, then the probability that C says “P’s answer is correct” is less than 2−k.

Perfect completeness.

Computational Complexity, by Fu Yuxi Interactive Proof System 113 / 120 Languages that have Checkers

If L has an interactive proof system where the prover can be eﬀiciently implemented using L as an oracle, then L has a checker.

Theorem. GI, ♯SATD and TQBF have checkers.

Computational Complexity, by Fu Yuxi Interactive Proof System 114 / 120 Random Self-Reducibility

Checkers can be designed by exploring the fact that the output of a program at an input is related to the outputs of the program on some other inputs. ▶ The simplest such relationship is random self-reducibility.

A problem is randomly self-reducible if solving the problem on any input x can be reduced to solving the problem on a sequence of random inputs y1, y2,..., where each yi is uniformly distributed among all inputs.

Computational Complexity, by Fu Yuxi Interactive Proof System 115 / 120 An Example

P n n → n Consider a linear function f(x) = i=1 aixi : GF(2 ) GF(2 ). ▶ Given any x, pick some y randomly. ▶ Compute f(y) and f(y + x). ▶ Compute f(x) by f(y) + f(y + x).

Computational Complexity, by Fu Yuxi Interactive Proof System 116 / 120 Lipton Theorem

Theorem (Lipton, 1991). There is a randomized algorithm that, given an oracle that − 1 × computes the permanent on 1 3n fraction of the n n matrices on GF(p), can compute the permanents of all matrices on GF(p) correctly with high probability.

Computational Complexity, by Fu Yuxi Interactive Proof System 117 / 120 Proof of Lipton Theorem

n×n Let A be an input matrix. Pick a matrix R ∈R GF(p) . Let

B(x) = A + xR.

Clearly perm(B(x)) is a degree n univariate polynomial. For a =6 0, B(a) is a random matrix. So the probability that the oracle computes − 1 perm(B(a)) correctly is at least 1 3n .

Computational Complexity, by Fu Yuxi Interactive Proof System 118 / 120 Proof of Lipton Theorem

1. Randomly generate n + 1 distinct nonzero points a1,..., an+1.

2. Ask the oracle to compute perm(B(ai)) for all i ∈ [n + 1]. ▶ n+1 According to union bound, with probability at most 3n , the oracle may compute at least one of perm(B(ai))’s incorrectly. ▶ − n+1 ≈ 2 So with probability at least 1 3n 3 , the oracle can compute all perm(B(ai))’s correctly. 3. Finally calculate perm(A) = perm(B(0)). ▶ perm(B(x)) is a univariate polynomial of degree n. ▶ Construct the polynomial using interpolation.

Lipton’s algorithm provides a checker for the permanent problem.

Computational Complexity, by Fu Yuxi Interactive Proof System 119 / 120 interaction + randomness + error

Computational Complexity, by Fu Yuxi Interactive Proof System 120 / 120